1124 Views, 0 Helpful, 1 Replies

IPSEC VPN with VTI over a private IP address

Johann
Level 1

Hello,

I am currently trying to build a VTI tunnel. This case is a little particular; on the remote side I have a router which is using a private IP address instead of a public one (as I habitually do).

Router gi0/0        -->      4G Modem     -->     Internet  --> to Headquarters Router (with public ip address)
10.253.110.1       with static public ip
 
On the 4G modem (Huawei B882), I set up a port translation for ports 50, 4500 and 500 to the router.
 
Phase 1 is working:
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x    10.253.210.1    QM_IDLE           1007 ACTIVE
 

Router#sh crypto ipsec sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.253.210.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 109.7.93.184 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.253.210.1, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

 
 
But the tunnel still does not come up. Obviously phase 2 does not work. Some IPsec debug output:
000426: Nov 18 09:18:23.677 CDT: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.253.210.1:500, remote= y.y.y.y:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

000428: Nov 18 09:18:23.677 CDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Router#
000429: Nov 18 09:18:53.677 CDT: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 10.253.210.1:0, remote= x.x.x.x:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0

Here are the key elements of my configuration:


crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address x.x.x.x

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec profile VTI
 set transform-set 3DES-MD5

interface Tunnel0
 description tunnel
 bandwidth 100
 ip address 10.253.110.1 255.255.255.0
 ip tcp adjust-mss 1300
 load-interval 30
 qos pre-classify
 keepalive 5 3
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile VTI


interface GigabitEthernet0/0
 description WAN
 ip address 10.253.210.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto

ip route x.x.x.x 255.255.255.255 10.253.210.254

How can I troubleshoot the problem?

Thanks for your help

1 Reply

David_Che
Level 1

Both the remote and hub routers will detect the existence of a NAT device in between, which causes both routers to switch over from UDP port 500 to UDP port 4500 to exchange IKE messages. I suspect there is no switch-over taking place from your log (both using UDP 500), so I suggest you validate whether both routers support the NAT-T feature by checking if they are listening on UDP port 4500.
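The mechanism David_Che refers to is IKEv1 NAT Traversal (RFC 3947/3948): during main mode each peer sends NAT-D payloads, hashes over the cookies and the addresses it believes it is using, and the receiver recomputes them over the addresses it actually sees on the wire. A mismatch means a NAT is in the path, and both sides then float to UDP/4500, where ESP is carried inside UDP instead of as IP protocol 50 (which is why forwarding "port 50" on a consumer modem is not a substitute). The following Python simulation is an added example, not code from the thread or from Cisco; the cookies and the public addresses (TEST-NET-3, 203.0.113.0/24) are constructed stand-ins for the x.x.x.x in the post, and the hash is MD5 because the posted ISAKMP policy negotiates `hash md5`.

```python
"""
IKEv1 NAT-D computation and NAT detection (RFC 3947), plus the RFC 3948
non-ESP marker check for traffic on UDP/4500. Constructed example; the
addresses and cookies are placeholders, not the poster's real values.
"""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

# The thread's ISAKMP policy negotiates 'hash md5'; RFC 3947 computes NAT-D with the negotiated hash.
NAT_D_HASH = "md5"

# Constructed ISAKMP cookies for the simulation (not from the poster's device).
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def nat_d_hash(cky_i, cky_r, ip, port, algo=NAT_D_HASH):
    """RFC 3947 s3.2: HASH(CKY-I | CKY-R | IP | Port), IP in network byte order, port as 2 bytes."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


@dataclass(frozen=True)
class NatD:
    """NAT-D payloads a peer sends: one for the peer address it is sending to,
    one for each local address it might be sending from."""
    destination: bytes
    sources: tuple


def build_nat_d(local_ip, local_port, peer_ip, peer_port):
    return NatD(
        destination=nat_d_hash(CKY_I, CKY_R, peer_ip, peer_port),
        sources=(nat_d_hash(CKY_I, CKY_R, local_ip, local_port),),
    )


def detect_nat(received, seen_src_ip, seen_src_port, my_ip, my_port):
    """Receiver side: recompute over the addresses actually observed on the wire.
    A source hash matching none of the sender's NAT-D sources means the sender is
    behind a NAT; a destination hash differing from ours means we are."""
    sender_natted = nat_d_hash(CKY_I, CKY_R, seen_src_ip, seen_src_port) not in received.sources
    we_are_natted = nat_d_hash(CKY_I, CKY_R, my_ip, my_port) != received.destination
    return sender_natted, we_are_natted


def simulate(branch_ip="10.253.210.1", modem_public_ip="203.0.113.10",
             hub_ip="203.0.113.20", nat_port=500):
    """Branch (private address) -> modem NAT -> hub (public address).
    Public addresses are constructed (TEST-NET-3) stand-ins for the thread's x.x.x.x."""
    # Branch builds NAT-D from the addresses it knows: its own private one and the hub's.
    branch_sends = build_nat_d(branch_ip, 500, hub_ip, 500)
    # The modem rewrites the source; the hub sees modem_public_ip:nat_port.
    hub_sees_branch_natted, hub_natted = detect_nat(branch_sends, modem_public_ip, nat_port, hub_ip, 500)

    # Hub answers with NAT-D built from what it sees: the modem's public address.
    hub_sends = build_nat_d(hub_ip, 500, modem_public_ip, nat_port)
    # The modem un-NATs the reply; the branch sees hub_ip:500 arriving at its private address.
    branch_sees_hub_natted, branch_natted = detect_nat(hub_sends, hub_ip, 500, branch_ip, 500)

    nat_present = hub_sees_branch_natted or hub_natted or branch_sees_hub_natted or branch_natted
    return {
        "hub_sees_branch_behind_nat": hub_sees_branch_natted,
        "branch_learns_it_is_behind_nat": branch_natted,
        "hub_behind_nat": hub_natted or branch_sees_hub_natted,
        # RFC 3947 s4: once a NAT is detected both peers float to UDP/4500 for the rest of
        # the exchange, and ESP goes UDP-encapsulated (RFC 3948) instead of as IP protocol 50.
        "float_to_udp_4500": nat_present,
    }


NON_ESP_MARKER = b"\x00\x00\x00\x00"


def classify_udp_4500(datagram):
    """RFC 3948 s2.2: on UDP/4500 an IKE packet is prefixed with a four-zero-byte non-ESP
    marker; an ESP packet starts with its SPI, which is never zero. Handy when reading a
    capture on the modem's forwarded port to see whether only IKE, or also ESP, is flowing."""
    if len(datagram) < 4:
        raise ValueError("too short for UDP-encapsulated IPsec")
    return "ike" if datagram[:4] == NON_ESP_MARKER else "esp"


if __name__ == "__main__":
    print(simulate())
    print(simulate(branch_ip="203.0.113.10", modem_public_ip="203.0.113.10"))  # no NAT: no float
```

With the thread's topology the hub computes a different hash than the branch advertised, so both sides should float to 4500; a session that stays on 500 with a NAT in the path, as in the posted `sh crypto isakmp sa`, means NAT-D was never exchanged or never mismatched. On IOS the feature is controlled by `crypto isakmp nat-traversal` and the detected state is visible in `show crypto isakmp sa detail`; the second, no-NAT call in the block shows the control case where both hashes match and the peers rightly stay on UDP/500.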